INTRODUCTION

In April 2015, the Tactical Applications (TacApps) Team within the U.S. Army Armament Research, Development and Engineering Center, Picatinny Arsenal, NJ, Weapons and Software Engineering Center was assigned a task to analyze the national enterprise data portal (NEDP), a foundational component of the sustainment system mission command. The analysis focused on identifying issues related to potential future efforts to integrate NEDP data feeds into the TacApps architecture. One critical area of concern identified during the analysis was the fact that much of the NEDP data originates from unclassified networks, while the TacApps databases will typically reside on classified networks. Transferring data from unclassified networks to classified networks and back poses a challenge, especially for large volumes of time-sensitive data. The TacApps chief engineer performed an investigation and literature search into potential technologies and strategies that could mitigate these issues. This report describes the findings of those efforts, including several potential solutions.


STRATEGIES


Manual (Swivel-Chair)

The manual method of transferring data between networks, colloquially the "swivel-chair" or "sneaker net" method, involves burning unclassified data to a compact disc, digital video disc, or other removable media. The burned media is then manually loaded onto a machine on the classified network. This method is, not surprisingly, time-consuming and prone to human error (ref. 1). It has been shown to be insecure and lacking in procedural integrity (ref. 1). Despite these drawbacks, it is often the standard method by which data is transferred between networks.

Transferring data from classified to unclassified networks operates in much the same way, except that the data must be reviewed by a designated security officer before it can be declassified and moved onto the unclassified network. This is even more time-consuming than the reverse, and anecdotal evidence points to the tendency of security officers to err on the side of caution, preventing potentially unclassified data from leaving the classified network whenever there is any uncertainty.

Unidirectional Network Bridge (Data Diode)

A unidirectional network bridge, also referred to as a unidirectional security gateway or a data diode, is a combination of hardware and software used to connect two separated networks. The sole purpose of a unidirectional network bridge is to allow data to travel in one direction only, from one network into another (ref. 1). They are most commonly found in high-security environments, where they connect two or more networks of differing security classifications. Because the hardware permits transfer in only one direction, it is physically impossible to move data the other way (refs. 1 and 2). There are several ways to achieve this; one popular method is to use a modified fiber optic link as part of the network cable (ref. 1). With this method, one end of the link is fitted only with an optical transmitter and the other only with a receiver, so data cannot travel in the opposite direction without additional hardware (ref. 1). Software is often employed to accommodate applications, such as web sites, that require a handshake to establish a connection before data can be sent (ref. 2): proxy servers on each side of the link terminate the two-way protocol so that only one-way traffic crosses the bridge itself. Figure 1 shows a typical data diode hardware/software implementation.
Note: A data diode server terminates full duplex protocols at each end with proxy servers while permitting only one-way traffic between the proxies (ref. 2).


Figure 1

Data diode (ref. 2)

Unidirectional network bridges suffer several major drawbacks. The first is the inability to move data from a secure to an insecure network, which results in the use of manual "swivel-chair" or "sneaker net" processes to cover the gap (ref. 1). One technical solution to this issue is to use a second unidirectional network bridge, oriented the other way, to transfer data from the secure to the insecure network. This may appear to defeat the purpose of the bridge, but with this arrangement the insertion point and the exit point of data remain physically separate and each can be tightly controlled. This effectively prevents the commingling of data and is used in industry for functions such as streaming video and audio from secure to insecure networks (ref. 1).

A second disadvantage is that the receiving end of the unidirectional network bridge must have total availability, because any downtime will result in missed data (ref. 1). Since nothing can be sent back across the link, the receiver cannot acknowledge what it has received and the sender cannot retransmit on request; there is no method to accurately synchronize transferred data. This is of particular concern in environments that require a high level of data integrity. Several methods are available to reduce the problem, such as broadcasting through multiple unidirectional network bridges at once, sending data to multiple receivers, or sending a single file multiple times over the same unidirectional network bridge (ref. 1). None of these methods can guarantee delivery, but they reduce the probability of an error occurring.

A third disadvantage is inherent to the design of the unidirectional network bridge: because the system is unidirectional, transmission control protocol (TCP) sessions cannot be carried across the bridge (ref. 1). TCP requires two-way communication (a connection handshake and acknowledgements); as these are physically prevented by the bridge, TCP is not a viable protocol across the link. Instead, user datagram protocol (UDP), which needs no reply from the receiver, must be used. UDP is typically used when speed is a higher priority than guaranteed delivery, such as in music or video streaming, where a few missed bytes can be ignored by the user. Many defense applications implement their network communications using TCP, so if these applications were to require data transfer over a unidirectional network bridge, they would require code modification (or TCP-terminating proxies at each end of the bridge, as in figure 1).
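The following Python simulation is an added example written for this page; it is not code from the report or from any data diode vendor. It models the arrangement of figure 1 together with the second and third drawbacks above: a low-side proxy slices a file into self-describing UDP-style datagrams, a link with no return path silently drops some of them, and the high-side proxy reassembles what arrives, reports which chunks are missing, discards corrupted datagrams, and verifies the whole file against a digest carried in every header. Sending the file more than once, one of the mitigations listed above, is shown to close the gaps for the chosen loss pattern, though it cannot guarantee delivery in general. The header layout, the 512-byte chunk size, the file identifier and the loss model are all hypothetical.

```python
# Simulation of file transfer across a one-way link (data diode).
# The low-side proxy terminates the application's two-way protocol and emits
# self-describing datagrams; nothing can come back from the high side, so the
# sender never learns which datagrams were lost. Assumptions (not from the
# report): the header layout, 512-byte chunks, the file id and the loss model.
import hashlib
import struct
import zlib
from typing import Callable, Dict, List, Optional, Tuple

CHUNK = 512
# Header: 8-byte file id, SHA-256 of whole file, seq, total, payload len, CRC32.
HDR = struct.Struct("!8s32sIIHI")


def make_datagrams(file_id: bytes, data: bytes) -> List[bytes]:
    """Slice data into datagrams that each carry enough context to be
    reassembled on their own, since no negotiation is possible across the link."""
    assert len(file_id) == 8
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    grams = []
    for seq, payload in enumerate(chunks):
        hdr = HDR.pack(file_id, digest, seq, len(chunks), len(payload), zlib.crc32(payload))
        grams.append(hdr + payload)
    return grams


class Receiver:
    """High-side proxy: collects datagrams and reassembles files."""

    def __init__(self) -> None:
        self.chunks: Dict[bytes, Dict[int, bytes]] = {}
        self.meta: Dict[bytes, Tuple[bytes, int]] = {}  # file id -> (digest, total)

    def on_datagram(self, datagram: bytes) -> None:
        if len(datagram) < HDR.size:
            return
        file_id, digest, seq, total, length, crc = HDR.unpack_from(datagram)
        payload = datagram[HDR.size:HDR.size + length]
        if len(payload) != length or zlib.crc32(payload) != crc:
            return  # corrupted on the wire: discard; no way to ask for it again
        self.meta[file_id] = (digest, total)
        self.chunks.setdefault(file_id, {})[seq] = payload

    def missing(self, file_id: bytes) -> Optional[List[int]]:
        """Chunk numbers not yet received, or None if nothing arrived at all
        (in which case the receiver does not even know the file exists)."""
        if file_id not in self.meta:
            return None
        got = self.chunks[file_id]
        return [s for s in range(self.meta[file_id][1]) if s not in got]

    def reassemble(self, file_id: bytes) -> Optional[bytes]:
        """Return the file only if every chunk arrived and the digest matches."""
        if file_id not in self.meta or self.missing(file_id):
            return None
        digest, total = self.meta[file_id]
        data = b"".join(self.chunks[file_id][s] for s in range(total))
        return data if hashlib.sha256(data).digest() == digest else None


class OneWayLink:
    """A link with no return path. drop(i) decides whether the i-th datagram
    placed on the wire is lost; the sender is never told either way."""

    def __init__(self, receiver: Receiver, drop: Callable[[int], bool]) -> None:
        self.receiver, self.drop, self.wire_index = receiver, drop, 0

    def put(self, datagram: bytes) -> None:
        i, self.wire_index = self.wire_index, self.wire_index + 1
        if not self.drop(i):
            self.receiver.on_datagram(datagram)


def transfer(data: bytes, copies: int, drop: Callable[[int], bool]):
    """Send data `copies` times over a lossy one-way link. Returns the
    reassembled file (or None) and the list of missing chunk numbers."""
    rx = Receiver()
    link = OneWayLink(rx, drop)
    file_id = b"NEDP0001"  # hypothetical identifier
    grams = make_datagrams(file_id, data)
    for _ in range(copies):  # redundancy is the only mitigation available
        for g in grams:
            link.put(g)
    return rx.reassemble(file_id), rx.missing(file_id)


if __name__ == "__main__":
    sample = bytes(range(256)) * 20   # constructed 5120-byte file: 10 chunks
    lossy = lambda i: i % 4 == 3      # constructed loss: every 4th datagram on the wire
    for copies in (1, 2):
        got, gaps = transfer(sample, copies, lossy)
        print(f"copies={copies}: {'complete' if got else 'incomplete'}, missing chunks {gaps}")
```

Run as a script, a single transmission over the simulated link arrives with chunks 3 and 7 missing, while transmitting the file twice yields a complete file whose SHA-256 matches. The receiver can only detect gaps and discard corrupted datagrams; it has no channel on which to request retransmission, which is exactly why availability of the receiving side and redundancy on the sending side matter.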

Finally, all practical implementations of unidirectional network bridges are built by different companies. There is currently no standards body and no common specification, so every implementation is proprietary (ref. 1). This drives up costs and prevents compatibility between different implementations.

Guard


In information security, a guard is a combination of hardware and software used to provide secure data transfer between two information domains (ref. 2). There are many different types of guards with different functionalities, but each guard implements essentially the same basic function: to protect networks at their boundaries and secure data transfer between those networks. In many respects a guard is like a firewall, but guards generally provide much more functionality than firewalls in order to address the problems of data exchange between information domains (ref. 2). Guards decide whether or not a data transfer may take place by enforcing a defined data release policy (ref. 3).


Guards are distinguished from firewalls in three major ways: they have stronger application-level filtering capability, typically using a reclassifier application to control data transfer between enclaves; they have higher assurance requirements; and they undergo more extensive test and evaluation to provide a higher level of confidence (ref. 4). Several types of guards exist, including multiple single levels of security, multilevel security, low to high, high to low, and bidirectional (ref. 2).
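The following is an added illustration of the policy enforcement a guard performs, written for this page rather than taken from the report or from any of the guard products it describes. It implements a toy guard that checks an object's structure against a schema, validates its classification marking against a three-level lattice and against both the source and the destination domain, and, on the high-to-low path only, screens the content for prohibited terms before release, logging every decision for audit. The lattice, the record fields, the source name and the prohibited terms are hypothetical.

```python
# Toy cross-domain guard: decides per object whether a defined release policy
# permits transfer between two domains. Illustrative only; not any fielded guard.
# Hypothetical: the three-level lattice, the record schema, the field names and
# the prohibited-term list.
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
SCHEMA = {"id": str, "classification": str, "source": str, "body": str}
# Constructed lexicon; a real guard would use a managed, domain-specific list.
PROHIBITED_TERMS = ("PROJECT HYPOTHETICAL", "SENSOR ALPHA")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class Guard:
    src_level: str
    dst_level: str
    audit: List[Tuple[str, bool, str]] = field(default_factory=list)

    def _decide(self, obj_id: str, allowed: bool, reason: str) -> Decision:
        self.audit.append((obj_id, allowed, reason))  # every decision is logged
        return Decision(allowed, reason)

    def check(self, raw: str) -> Decision:
        """Validate structure, then markings, then (high-to-low only) content.
        Anything that fails a check is rejected; the default is deny."""
        try:
            obj = json.loads(raw)
        except ValueError:
            return self._decide("<unparsable>", False, "malformed JSON")
        if not isinstance(obj, dict):
            return self._decide("<unparsable>", False, "top level is not an object")
        obj_id = str(obj.get("id", "<missing id>"))
        # 1. Structure: exactly the expected fields, each of the expected type.
        for name, typ in SCHEMA.items():
            if name not in obj or not isinstance(obj[name], typ):
                return self._decide(obj_id, False, f"missing or mistyped field {name!r}")
        extra = sorted(set(obj) - set(SCHEMA))
        if extra:
            return self._decide(obj_id, False, f"unexpected fields {extra}")
        # 2. Markings: known level, not above the source (would indicate mislabelled
        #    or spilled data) and not above the destination (would be a leak).
        mark = obj["classification"]
        if mark not in LEVELS:
            return self._decide(obj_id, False, f"unknown marking {mark!r}")
        if LEVELS[mark] > LEVELS[self.src_level]:
            return self._decide(obj_id, False, f"{mark} marking exceeds source domain {self.src_level}")
        if LEVELS[mark] > LEVELS[self.dst_level]:
            return self._decide(obj_id, False, f"{mark} may not flow to {self.dst_level}")
        if LEVELS[self.src_level] <= LEVELS[self.dst_level]:
            return self._decide(obj_id, True, "low-to-high transfer, marking acceptable")
        # 3. High-to-low: the marking alone is not trusted; screen the content.
        hits = [t for t in PROHIBITED_TERMS if t in obj["body"].upper()]
        if hits:
            return self._decide(obj_id, False, f"prohibited terms {hits}")
        return self._decide(obj_id, True, "high-to-low transfer, markings and content screened")


def run_demo() -> Dict[str, Decision]:
    """Constructed records pushed through a low-to-high and a high-to-low guard."""
    low_to_high = Guard("UNCLASSIFIED", "SECRET")
    high_to_low = Guard("SECRET", "UNCLASSIFIED")
    rec = lambda i, c, body: json.dumps(
        {"id": i, "classification": c, "source": "NEDP-feed", "body": body})
    return {
        "u_up": low_to_high.check(rec("u-1", "UNCLASSIFIED", "vehicle position report")),
        "s_from_u": low_to_high.check(rec("u-2", "SECRET", "should not exist on low side")),
        "u_down": high_to_low.check(rec("h-1", "UNCLASSIFIED", "routine logistics status")),
        "s_down": high_to_low.check(rec("h-2", "SECRET", "classified summary")),
        "dirty_down": high_to_low.check(rec("h-3", "UNCLASSIFIED", "mentions Project Hypothetical")),
        "extra_field": high_to_low.check(rec("h-4", "UNCLASSIFIED", "ok")[:-1] + ', "attachment": "x"}'),
        "garbage": high_to_low.check("{not json"),
    }


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:12s} {'ALLOW' if d.allowed else 'DENY ':5s} {d.reason}")
```

The ordering of the checks matters. Structure is validated before markings because a guard that reads a field it has not validated can be driven by malformed input; markings are checked against the source as well as the destination because a Secret-marked object arriving from an unclassified network indicates mislabelling or spillage, not a legitimate transfer. Content screening is applied only on the high-to-low path, where a correct-looking marking on its own is the weakest evidence that release is permitted; it is the automated stand-in for the security officer's review described under the manual method.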


CURRENT TECHNOLOGY SOLUTIONS

Based on the available strategies described previously, a guard is clearly the optimal solution for TacApps from a functional standpoint. Guards allow data to move in both directions provided the policy constraints are met, and they automate the process of reviewing data. In order to provide timely, accurate data to a system requiring frequent updates, a guard may be the only viable solution. However, if moving data from unclassified networks to classified networks, and not necessarily back, is acceptable to meet system requirements, a unidirectional network bridge could also be a viable solution, as it is likely less costly and easier to maintain. Several of the more promising solutions are described in this report; this is not an exhaustive list.

Data Diode (Government Off-the-shelf): Tactical Army Cross-domain Information Sharing

The Tactical Army Cross Domain Information Sharing (TACDIS) device is a small form factor data diode that allows communications from low-side unclassified networks up to high-side Secret networks. Created at the Communications-Electronics Research, Development and Engineering Center (CERDEC), Aberdeen Proving Ground, MD, the TACDIS tool is an easy-to-connect cable intended to enhance situational awareness at higher echelons to protect troops at the tactical edge (ref. 5). It is designed to connect the Rifleman Radio on the low side with Nett Warrior end user devices on the high side. The Nett Warrior program is sponsoring the certification process for the TACDIS. The TACDIS provides the capability to pass unclassified position location information to higher classified systems (ref. 5).

Information from the lower echelons can feed into the higher system at various intervals ranging from every 30 sec to three times per minute (ref. 5). Information regarding bandwidth limits was not available. Fielding for TACDIS is projected to begin in 2015 at the earliest (ref. 5). Figure 2 shows the TACDIS cable.
Figure 2

TACDIS cable (ref. 5)

Data Diode [Commercial Off-the-shelf (COTS)]: Net Optics Tap

Net Optics produces a number of both fiber and copper network taps that also serve as unidirectional network bridges. These taps connect network monitoring applications that use unidirectional communications intrinsically, because mirrored copies of network traffic flow one way, to the monitoring tool, and never the other way, from the monitoring tool back to the network (ref. 6). Network taps are therefore natural data diodes and a secure way to connect a monitoring tool to the network (ref. 6). Used as a general-purpose transfer path rather than for monitoring, such a tap would still need the proxy software described previously to carry TCP-based application traffic. Many other tools of this kind exist and have been built by other companies; there are likely many viable solutions in this domain.

Guard (Government Off-the-shelf): Radiant Mercury

The trusted information system Radiant Mercury (RM) is a Government off-the-shelf (GOTS) guard solution that provides accredited cross domain solutions to the U.S. Navy, Department of Defense (DoD), and intelligence community (ref. 7). Among other customers, the system is used by the Joint Battle Command Platform Network Operations Center to channel data from unclassified to classified networks. Some of the system's other customers include Combatant Commanders, U.S. Air Force (Shared Early Warning Program), U.S. Army (Blue Force Tracking Program), U.S. Navy (Global Command and Control System-Maritime and Automatic Identification System, Maritime Operations Centers, Distributed Common Ground System-Navy, Tactical Ranges), and numerous other DoD and intelligence agencies (ref. 7).

The RM is a bidirectional guard; it has the capability to channel properly marked data from classified to unclassified networks and back (ref. 7). However, the U.S. Army Intelligence and Security Command appears to have certified RM only for transfers from unclassified to classified networks. Certifying a high-to-low data transfer would likely be difficult, but it does appear possible. Also, no information was available regarding bandwidth constraints or other performance parameters. Figure 3 diagrams the RM data flow.
Figure 3

RM data flow

Guard (Government Off-the-shelf): Information Support Server Environment Guard

The information support server environment (ISSE) guard, also called ISSE Star Guard, is a GOTS product developed for the U.S. Air Force. It moves intelligence information, fixed-format message traffic, extensible markup language (XML) files, Microsoft Office files, e-mail, text chat, imagery, and many additional types of data across security domains. The system is a bidirectional guard capable of enabling data flow from a single high side network to up to eight low side destinations. At present, there are certified and accredited versions of ISSE fielded at U.S. Government agencies and various other military sites around the world. Information on performance parameters for the ISSE guard was not available.

Guard (Commercial Off-the-shelf): Cross-domain Enterprise All-source User Repository

One commercially available guard solution is the high-speed guard cross-domain security solution used by the cross-domain enterprise all-source user repository (CENTAUR). This guard is COTS software. One drawback of CENTAUR's guard is its limited capacity for high data volumes; based on analysis, it can support a pilot deployment, handling zip files at intervals of approximately five minutes, depending on the data (ref. 8).

The CENTAUR was prevalent in several key systems during the Empire Challenge 2010 and 2011 exercises at Fort Huachuca, AZ (refs. 3 and 9). During these tests, CENTAUR exchanged intelligence, surveillance, and reconnaissance (ISR) information with United States and multinational partners at sites worldwide using proven, secure, cross-domain technologies (refs. 3 and 9). The CENTAUR automates the process of pushing data between classified and unclassified systems and enables web-based queries to electronically transfer information (ref. 3). The high-speed guard component validates security markings, ISR information markings, and data structure prior to transferring the information between security domains (ref. 3).

As of 2011, a CENTAUR system was in use at Fort Gordon, GA, and under test at other domestic and international locations (ref. 3).
CONCLUSIONS

A number of different types of data transfer solutions were examined as a part of this study. Several potential government off-the-shelf and commercial off-the-shelf data diode and guard solutions were identified. This should not be considered an exhaustive list. Additional solutions exist, but this study demonstrates that solutions are available with varying degrees of applicability to the tactical applications (TacApps) effort. If a solution is needed, further down-selection should be performed using a well-established and agreed-upon set of criteria such as cost, specific types of functionality, availability, and others. The solutions described in this report are prime candidates for such a selection.